On 2023-03-28 20:37:56 -0300, Antonio Terceiro wrote:
> Still, I see no evidence that this is caused by the Ruby interpreter.
> For example apt-listbugs uses a SOAP library that is severely
> unmaintained upstream and has been on life support for some time now. It
> could be that library that is doing crazy things when the server does
> not reply in exactly the way it expects.

Note that in both failures, a line of the source, e.g. /usr/lib/ruby/3.0.0/uri/generic.rb or /usr/lib/ruby/3.0.0/bundler/vendor/uri/lib/uri/generic.rb for " # returns password\n" in my case in 2022, and /usr/lib/ruby/vendor_ruby/aptlistbugs/logic.rb for " if /proxy_detect='(.*)'/ =~ `apt-config \#{@apt_conf} shell proxy_detect acquire::http::proxy-auto-detect`\n" in the other case a few days ago, is regarded by the Ruby interpreter as a String. Has any .rb library, even if severely buggy, the power to do that?

Otherwise, could it be that apt-listbugs invokes the `default' method of some object obtained by SOAP, but this would mean that the server sends some part of .rb code as a String object in some cases? (This seems rather unlikely, and that could imply a security issue on the client side, if the client doesn't check what it receives.)

IMHO, this looks like some kind of pointer corruption.

-- 
Vincent Lefèvre <vinc...@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)